I liked the recent whitepaper on some newly found memory
leak security exploits in today's most popular password managers (https://www.securityevaluators.com/casestudies/password-manager-hacking).
I use a password manager myself, even though I've been aware that they have been
exploitable before. I think the author does a great job of pointing out the
flaws and fixes while still not scaring people away from them. It's rare you
get such a balanced article that isn't trying to frighten you into a knee-jerk
reaction. But I can predict that some password manager critics will probably
jump on the bandwagon about "how insecure password managers really are". It's
the nature of the field we occupy.

But here are some key points related to the report and its
findings that I think can be teachable moments:

Pre-Requisites Matter

If an exploit requires that the attacker have complete
admin control of the device before it can be successfully
exploited, it's not that big of a threat. It's not clear from the password
manager whitepaper whether elevated access was needed to find all the memory leaks,
but usually Windows prevents widespread memory leaks without first obtaining the
highest possible privileges on the device being searched. If the password
manager hacks didn't require privilege, then they become a little bit more
interesting. If they did, less so.

This is not to say that an exploit, even one that does
require privileges first, isn't useful to know about. Any hack that could let
an attacker more easily obtain privileged information or access than was previously
known is good to know about. It's just less startling and less worrisome.

The Problems Are Yours Even When They Aren't Caused By You

Some of the password manager vendors have responded to
the report by mentioning, at least in partial response, that the underlying
vulnerabilities are actually problems with the way Windows does memory
management, and are not necessarily a direct flaw due to something they did or
didn't do. While this may be true, any flaw, for any reason, that impacts the
security protection and claims of a product is the vendor's responsibility to
mitigate.

Our products run in an all-encompassing environment which
includes the product and anything it relies on. The customer doesn't care if
the found vulnerability is due to coding in the targeted product or due to a
dependency. They just know that the vendor made a particular security claim, and
in totality, on a real system, that claim was broken. Vendors could improve
their responses with less finger-pointing and more figuring out how to mitigate
the found problem. It will save you time and make your customers happier.

Every Security Solution Just Moves Risk

I like password managers because they help mitigate one
of the biggest authentication problems we have: trying to make sure we
use long, complex, and different passwords across different security domains
and web sites. But they come with their own risks, such as the ones focused on
in this latest paper (i.e., memory leaks), and many more, such as
single point of failure, where if a bad guy gains access to your computer
running a password manager, they now get immediate access to every stored
password (instead of just getting a single password by hacking one web site you
belong to).

Every computer security solution comes with its own
benefits and disadvantages. Most are simply diminishing risk in one area, but
are often opening up new or increased risk in other areas. Security solutions
are not only security and usability trade-offs, but risk trade-offs. There is
no perfect solution that simply decreases risk all the way around in all areas.
We are just moving it around.

Not sure why I decided to write all of that based upon a
password manager exploit whitepaper, but I did. Cheers.

This was the response from the software companies in regard to that report.

It was because of the vendors' replies that I wrote this particular article. They are responding in ways that will not be as helpful to them as they think. They, like all vendors in similar situations, will eventually try to mitigate the found issues. It's just a question of how long until they come around to the realization. I've worked for popular software vendors for 20 years...I speak from experience. It's a cycle of maturity.


As an honest question: my understanding (which could be wrong) is that the vulnerability report is saying that once a password manager unlocks a password for use, it's not clearing it out again to prevent harvesting. Doesn't it have to be decrypted and available in some form in memory to be usable, whether by the manager itself or the target (in cases of application or website autofill)? For item-level/target passwords, how is the password manager supposed to know when the password has been used, so that it can clear it out of memory?

An additional point I'm questioning, in regard to the Dashlane vulnerability (which seems the most egregious to me), is that they don't specify whether they were able to run their proof of concept before or after starting Dashlane for the first time and logging in at least once. Their definition of 'Locked' contains both 'Launched but not logged in' AND 'launched, logged in, then locked', which are two very different states of use.

I do understand the issue with password managers not sanitizing memory after reverting back to a 'locked' state, but I also noted that the report points out that some of these application issues occur DURING the transition from unlocked to locked state, which means the memory is already being monitored and the system is compromised before security is applied. With 1Password, this is what they are doing: monitoring the program activity as it's in use to get the decoded password, which has to be decoded in order for it to be used by the software (Fig. 2 and Fig. 3).

EDIT: You did a better overall explanation while my brain went on a nitpick of details..
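The question above (when and how a password manager can clear a decrypted secret from memory) is easier to reason about with a small demonstration. The following is an added example, not code from the original post, the whitepaper, or any of the password managers it discusses. It simulates an unlock/use/lock cycle against a constructed sample password in a static buffer that stands in for process memory an attacker could read. The "leaky" cycle just forgets the buffer and leaves the plaintext resident, which is the residue pattern the report describes; the "scrubbed" cycle zeroes the buffer as soon as the consumer returns. The zeroing goes through a volatile function pointer because a plain memset before the buffer is dropped is a dead store the optimizer may remove; in real code use SecureZeroMemory on Windows or explicit_bzero where available. Note what this does not solve: while the consumer is actually using the password, the plaintext is necessarily in memory, so scrubbing only narrows the window, it does not close it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample vault entry for the demonstration (not real data). */
static const char SAMPLE_PASSWORD[] = "correct horse battery staple";

/* Scratch region standing in for a heap page that another process on the
 * same machine could read (ReadProcessMemory on Windows, /proc/<pid>/mem
 * on Linux). Static storage is zero-initialised, so any non-zero bytes we
 * find later were written by the cycle under test. */
#define SCRATCH_LEN 64
static unsigned char scratch[SCRATCH_LEN];

/* Calling memset through a volatile function pointer prevents the compiler
 * from proving the write is dead and eliding it. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n) {
    memset_ptr(p, 0, n);
}

/* Simulated "unlock": the decrypted entry lands in the working buffer. */
static size_t unlock_into(unsigned char *dst, size_t cap) {
    size_t n = strlen(SAMPLE_PASSWORD);
    if (n > cap) n = cap;
    memcpy(dst, SAMPLE_PASSWORD, n);
    return n;
}

/* Simulated "use": stands in for handing the password to an autofill
 * routine. A checksum gives the compiler a genuine read of every byte. */
static uint32_t consume(const unsigned char *p, size_t n) {
    uint32_t h = 2166136261u;               /* FNV-1a offset basis */
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* What a memory-harvesting tool would check: does the plaintext secret still
 * appear anywhere in the region? Returns 1 on residue, 0 if clean. */
int scratch_holds_secret(void) {
    size_t n = strlen(SAMPLE_PASSWORD);
    for (size_t i = 0; i + n <= SCRATCH_LEN; i++) {
        if (memcmp(scratch + i, SAMPLE_PASSWORD, n) == 0) return 1;
    }
    return 0;
}

/* Leaky pattern: unlock, use, then "lock" by simply dropping the buffer.
 * Returns 1 because the plaintext stays resident after lock. */
int leaky_lock_cycle(void) {
    size_t n = unlock_into(scratch, SCRATCH_LEN);
    (void)consume(scratch, n);
    /* no scrub: lock state is reached with the secret still in memory */
    return scratch_holds_secret();
}

/* Hardened pattern: scrub the moment the consumer has finished with the
 * bytes, before any lock transition. Returns 0: no residue left. */
int scrubbed_lock_cycle(void) {
    size_t n = unlock_into(scratch, SCRATCH_LEN);
    (void)consume(scratch, n);
    secure_zero(scratch, n);
    return scratch_holds_secret();
}

int main(void) {
    printf("leaky cycle leaves secret in memory:    %s\n",
           leaky_lock_cycle() ? "yes" : "no");
    printf("scrubbed cycle leaves secret in memory: %s\n",
           scrubbed_lock_cycle() ? "yes" : "no");
    return 0;
}
```

The answer to "how does the manager know when the password has been used" is that the code path that hands the plaintext to the consumer (clipboard write, autofill injection, display) is the only place that knows, so the scrub belongs right there, on every exit path, rather than in a later lock handler that may never see the buffer again.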


I very much like my password manager. I have so many accounts and credentials that if I tried to have a unique password for them all, I would assuredly forget some of them. Especially since I like to change all of my passwords every month to three months. Using a password manager means I only have to remember one password, which I change every two weeks. I find that much more doable.


Hey Roger, thanks for sharing. Nice balanced write-up. I am seeing an increased number of password cracking attempts on my network; I would much rather my users use a password manager to mix things up. However, now I need to keep in mind some of the advice from this article. Thanks man :)